Preventing ZIP parser confusion attacks on Python package installers


PyPI will begin warning and will later reject wheels that contain differentiable ZIP features or incorrect RECORD files.

This leads to the ambiguous situation today where no one installer can start enforcing standards without accidentally "breaking" projects and archives that already exist on PyPI. PyPI will also begin sending emails to warn users when wheels are published whose ZIP contents don't match the included RECORD metadata file. After 6 months of warnings, on February 1st, 2026, PyPI will begin rejecting newly uploaded wheels whose ZIP contents don't match the included RECORD metadata file.
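The check the article describes, a wheel's ZIP contents compared against its RECORD metadata file, can be reproduced locally. The script below is an added example written for this summary, not PyPI's or any installer's own code: it builds small in-memory wheels from constructed contents (the package name `demo_pkg` and the helper names are illustrative), then reports every way the archive and RECORD disagree, namely files present in the ZIP but absent from RECORD, files listed in RECORD but absent from the ZIP, size or SHA-256 mismatches, and duplicate entry names, which different ZIP parsers may resolve differently.

```python
import base64
import csv
import hashlib
import io
import zipfile
from typing import Optional

# Constructed sample distribution name; a real wheel uses <name>-<version>.dist-info.
DIST_INFO = "demo_pkg-1.0.dist-info"


def _record_hash(data: bytes) -> str:
    # RECORD stores "sha256=" + urlsafe base64 of the digest with '=' padding stripped.
    digest = hashlib.sha256(data).digest()
    return "sha256=" + base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_wheel(files: dict, record_files: Optional[dict] = None) -> bytes:
    """Build an in-memory wheel (a ZIP). RECORD describes `record_files`, which
    defaults to `files`; passing a different mapping deliberately makes RECORD
    disagree with the archive so the checker has something to find."""
    if record_files is None:
        record_files = files
    record_path = f"{DIST_INFO}/RECORD"
    text = io.StringIO()
    writer = csv.writer(text, lineterminator="\n")
    for name, data in record_files.items():
        writer.writerow([name, _record_hash(data), len(data)])
    writer.writerow([record_path, "", ""])  # RECORD cannot hash itself
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
        zf.writestr(record_path, text.getvalue())
    return out.getvalue()


def check_record(wheel_bytes: bytes) -> list:
    """Return the mismatches between the ZIP contents and RECORD; an empty list
    means the archive is internally consistent."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        names = [i.filename for i in zf.infolist() if not i.filename.endswith("/")]
        # Duplicate entry names are ambiguous: parsers may pick different copies.
        for name in sorted(set(n for n in names if names.count(n) > 1)):
            problems.append(f"{name}: duplicate entry in archive")
        record_paths = [n for n in names if n.endswith(".dist-info/RECORD")]
        if len(record_paths) != 1:
            return problems + [f"expected exactly one RECORD, found {len(record_paths)}"]
        record_path = record_paths[0]
        recorded = {}
        for row in csv.reader(io.StringIO(zf.read(record_path).decode("utf-8"))):
            if row:
                recorded[row[0]] = (row[1], row[2])
        for name in names:
            if name not in recorded:
                problems.append(f"{name}: present in archive but missing from RECORD")
        for name, (digest, size) in recorded.items():
            if name == record_path:
                continue
            if name not in names:
                problems.append(f"{name}: listed in RECORD but missing from archive")
                continue
            data = zf.read(name)
            if size and int(size) != len(data):
                problems.append(f"{name}: size {len(data)} != RECORD size {size}")
            if digest and digest != _record_hash(data):
                problems.append(f"{name}: hash does not match RECORD")
    return problems


if __name__ == "__main__":
    src = {"demo_pkg/__init__.py": b"VERSION = '1.0'\n"}
    print("consistent:", check_record(build_wheel(src)))
    extra = dict(src, **{"demo_pkg/extra.py": b"x = 1\n"})
    print("extra file:", check_record(build_wheel(extra, record_files=src)))
    swapped = {"demo_pkg/__init__.py": b"changed\n"}
    print("tampered:", check_record(build_wheel(swapped, record_files=src)))
```

Running this against a real wheel only needs `check_record(open("pkg.whl", "rb").read())`; the build helper exists so the example is self-contained. Every mismatch it reports is something a human or an installer must currently decide how to treat, which is the ambiguity the article says PyPI intends to remove by rejecting such uploads.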
